Mapping:
{
"log":{
"properties":{
"detail":{
"type":"nested",
"properties":{
"attribute":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword",
"ignore_above":256
}
}
},
"newValue":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword",
"ignore_above":256
}
}
}
}
},
"source":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword",
"ignore_above":256
}
}
},
"status":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword",
"ignore_above":256
}
}
}
}
}
Data:
[
{
"_index":"audit_test_2",
"_type":"log",
"_id":"706yUXEBcaL3UicXEjIg",
"_score":1.6486586,
"_source":{
"status":"Successful",
"source":"Control Room",
"detail":[
{
"attribute":"Name",
"oldValue":null,
"newValue":"Folder1"
},
{
"attribute":"Version",
"oldValue":null,
"newValue":"2.0.0-20200114-060012"
},
{
"attribute":"Status",
"oldValue":null,
"newValue":"DISABLED"
}
]
}
},
{
"_index":"audit_test_2",
"_type":"log",
"_id":"8E6yUXEBcaL3UicXIzK0",
"_score":1.6486586,
"_source":{
"status":"Successful",
"source":"Control Room",
"detail":[
{
"attribute":"Name",
"oldValue":null,
"newValue":"Folder2"
},
{
"attribute":"Version",
"oldValue":null,
"newValue":"2.0.0-20200114-060012"
},
{
"attribute":"Status",
"oldValue":null,
"newValue":"DISABLED"
}
]
}
}
]
My current query:
{
"query": {
"nested": {
"path": "detail",
"query": {
"bool": {
"must": [
{
"match": {
"detail.newValue.keyword": "DISABLED"
}
}
]
}
}
}
}
}
How can I modify the query to get the result of one JSON object having "newValue": "Folder1" && "newValue": "DISABLED"? The above query expectedly returns both objects.